This Week in Geopolitics

Equifax and Our Broken Computer Industry

The Equifax hack ought to have been the last straw in the saga of our inept computer industry. Critical information on the vast majority of American families was compromised. To say that this was not a rare phenomenon understates it. There has been an endless array of stolen information, from the recent theft of still proprietary stock information from the Commerce Department to the theft of emails from the Democratic National Committee.

The probability that information committed to computers will remain confidential has become slim at best. It must be assumed that if people wish to steal information, they will.

Before we begin…

Have you secured your place at Rising and Falling Powers: Separating Signal from Noise? If not, I invite you to do so as soon as possible. Tuesday, September 26 is the last day you can get a ticket at the lowest price.

Through midnight tomorrow, you can take advantage of our early-bird discount to secure your seat for $1,295. That’s a $200 savings off the standard $1,495 rate. However, there are only a few discounted tickets remaining.

If you want to participate in an exciting day of debate on crucial geopolitical and investing issues, then please join us on October 25 at the Yale Club in New York City. This conference will help you see the world—its opportunities and its risks—with much more clarity and confidence.

The “Stupid User” Defense

The computer industry has developed a defense that most industries have tried at one point or another: the “stupid user” defense. When a hack occurs, the spotlight turns to the victim, who is said to be responsible for preventing such attacks. Consider my favorite attack: phishing. A phishing attack happens when someone receives an email and clicks on a malicious link contained in the email. This triggers a process where the program linked to the email searches for, finds, and transmits information from the computer to the sender of the email.

The view of the computer industry is that the responsibility for this attack rests with the stupid user who clicked on the link. The computer industry has made it clear that you should never click on a link from an unknown sender. Announcing this has discharged the industry’s responsibility. But assume that a company had 5,000 employees. The probability that not one of those 5,000 people would click on the link is near zero. An effectiveness rate of 99.98% in preventing clicks would not be enough to prevent potential disaster. A business or individual would have to prevent all mistakes perfectly and permanently.
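The arithmetic behind that 5,000-employee argument, as an added illustration rather than anything from the column: given a per-person chance of clicking, the chance that at least one person in an organization clicks grows as 1 − (1 − p)^N, and the functions below also invert that to show how small the per-person rate must be for a given organization-wide risk (the rates and headcount are constructed inputs).

```python
import math


def prob_any_click(headcount: int, per_user_click_rate: float) -> float:
    """Probability that at least one of `headcount` people clicks a phishing link.

    Assumes independent users, each clicking with probability per_user_click_rate.
    Uses log1p/expm1 so tiny rates do not lose precision.
    """
    return -math.expm1(headcount * math.log1p(-per_user_click_rate))


def max_per_user_rate(headcount: int, max_org_risk: float) -> float:
    """Largest per-user click rate that keeps organization-wide risk <= max_org_risk.

    Inverts prob_any_click: solve 1 - (1 - p)^N = R for p.
    """
    return -math.expm1(math.log1p(-max_org_risk) / headcount)


def users_until_risk(per_user_click_rate: float, org_risk: float) -> int:
    """Smallest headcount at which the chance of at least one click reaches org_risk."""
    return math.ceil(math.log1p(-org_risk) / math.log1p(-per_user_click_rate))


if __name__ == "__main__":
    # Constructed scenario: 5,000 staff, 99.98% of whom resist the lure (0.02% click).
    n, p = 5000, 0.0002
    print(f"P(at least one click) = {prob_any_click(n, p):.3f}")           # about 0.632
    print(f"per-user rate for 1% org risk = {max_per_user_rate(n, 0.01):.2e}")  # about 2.0e-06
    print(f"headcount at which risk hits 50% = {users_until_risk(p, 0.5)}")   # 3466
```

The point for a defender is the inversion: at 5,000 users, holding organization-wide risk to 1% per campaign needs a per-user click rate around two in a million, which is why controls that do not depend on every click being right (link filtering, attachment detonation, credential hardening) carry the weight.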

At a higher level, the industry blames the stupid administrator. The security sold with servers, laptops, and the rest is primitive. In selling the equipment, the rule is caveat emptor, let the buyer beware. It is the job of the IT administrator not only to keep things running but also to acquire and maintain a host of security hardware and software to keep the system secure. The problem is not that these tools are fiendishly expensive but that they constantly become obsolete and have to be reconfigured or replaced.

Attackers’ Advantages

There is a cadre of criminals and vandals that is constantly trying to circumvent security systems. The advantage is with the attacker. The defender must reconfigure his system to meet a new attack, which the attacker will make certain is novel and therefore not anticipated. This new attack must be detected by users and communicated among them, then a defense must be developed and implemented. This process takes days or weeks.

For midsized and small businesses, maintaining constant awareness of new attacks and having the expertise to block them is absurd. And for the very largest businesses, the resources are never enough to prevent all errors in protection. If the attacker fails, no one knows about it and he will live to fight another day. If the defender fails—and the computing system is so shabbily built that it generates failures by its own lack of sophistication—he is all over the front pages.

We all know that computing systems are liable to attack. We also know that the system is designed for failure. At some point, someone will commit an error and click on a malicious link. Given the increasing tempo of attacks, expecting that administrators will never fall behind the curve is ridiculous. We also know that computer companies have pushed the responsibility for security on users, telling them to acquire third-party software and hardware. Security not only costs significant amounts of money, but it also requires expertise in acquiring, integrating, and configuring the equipment. Finally, the third parties are themselves liable to error.

The problem, as I have written before, has to do with the primitive nature of computers. The basic structure of hardware and software was created to allow upgrades and third-party software to run on the systems. Since much of this came from outside vendors, authenticating the legitimacy of the code was difficult. It still is difficult. Computers can play vastly complex games, but they cannot identify malicious code. Computer companies solve the lack of evolution in computer security by pointing at the users. Try this in any other industry and I am reasonably certain that the lawsuits would be flying, regardless of what the fine print on contracts said.

But it is not just the legal issue—although I am fascinated that no one that I know of has brought suits against the computer industry for knowingly selling defective products. Rather, my concern is geopolitical. The world has become utterly dependent on computing. I am typing this on a computer, and my personal information was compromised on a computer. The attacks are mounting, and our financial and military systems—and those of the rest of the world—are not only vulnerable but under constant attack. We cannot abandon computing, nor can we risk the consequences of using these systems. Nor will the “stupid user” explanation work when most users are as ignorant of computing as they are of the internal combustion engine.

The computer and the car have become utilities where the manufacturers are given great value by society. Cars have roads, and computers have access to the Internet. Both have utilitarian necessity. But cars are expected to maintain certain safety features. It would seem reasonable that an industry whose failures can wreak havoc globally should be expected to build security into its own systems.

And finally…

Remember, early-bird tickets for Rising and Falling Powers will no longer be available after tomorrow. And they may not even be available then: Attendance is strictly limited to 120 guests, and tickets are selling fast. So there’s no time to waste—if you wish to attend, please reserve your ticket today. I hope to see you there.

Comments

thomas thomson

Sep. 25, 2017, 11:15 p.m.

The problem is not 3rd party software per se—rather that advertisers want to run code snippets & everybody wants their tracking software to run. I have never picked up a bug updating OS & etc. from Apple. They always ask “do you want to allow…”
If your mail and/or browser asked if you wanted to allow code execution each time some third party wanted to execute code, this would be solved. But then, we would have to pay for the internet.

Matt Taylor

Sep. 25, 2017, 5:38 p.m.

Security breaches (this Equifax breach included) are usually due to IT departments neglecting to install security patches to fix known vulnerabilities in a timely manner. Installing security patches in a timely manner is not difficult, but it costs money. I suspect that IT departments do not have sufficient funding or training, or their priorities are out of whack. In any case it all boils down to a management problem. Security is rarely given sufficient priority because it is not a profit center.

Perhaps George could tell us if the large Stratford breach of a few years ago (in which my data was lost, including my credit card number) boiled down to a management problem that could have been avoided if security had been given a higher priority.

Darrell Fisk

Sep. 25, 2017, 2:14 p.m.

Skip, you may be right about competition solving the problem, but it hasn’t. You may remember way back when the government sued Microsoft to make their systems accessible by third party vendors. Those access points quickly turned into vulnerabilities. Apple has fewer, likely because they can keep their systems more closed. I got my first job doing systems development in 1972. The development since then has been mind boggling. I doubt that human error with computers will be eliminated any time soon. Folks still manage to kill many tens of thousands of people every year with cars through poor judgement.
